ee48bff1f8ad92ccd405b5e5c0e26eb2d6fa5b7c729a7b876ec1685b58ca4ba7

Analysis

max time kernel
141s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18/10/2024, 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ee48bff1f8ad92ccd405b5e5c0e26eb2d6fa5b7c729a7b876ec1685b58ca4ba7.exe
Size

34KB
MD5

5e96f46ff4769775868d897b0ae5b9cc
SHA1

36ff426acbce40def9329b808bc79d1d8b94e614
SHA256

ee48bff1f8ad92ccd405b5e5c0e26eb2d6fa5b7c729a7b876ec1685b58ca4ba7
SHA512

119953cbfb6f136c9ac401d872558028cb3ed1086ba61e56ebd05b018c3989b4ba709652766b14ed03fa45f219df2c8469369653f36c100db8c9e0c35625370a
SSDEEP

384:fY/7iMmQgVC+02JWuCSPmSQTebw/UqFPpF5bGwpUZyjAEbjS7DFHvY3ECjm:y12JTPRQTeZq1bUWQD1Q3nS

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	ee48bff1f8ad92ccd405b5e5c0e26eb2d6fa5b7c729a7b876ec1685b58ca4ba7.exe

Executes dropped EXE 1 IoCs

pid	Process
4396	budha.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ee48bff1f8ad92ccd405b5e5c0e26eb2d6fa5b7c729a7b876ec1685b58ca4ba7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	budha.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1392 wrote to memory of 4396	1392	ee48bff1f8ad92ccd405b5e5c0e26eb2d6fa5b7c729a7b876ec1685b58ca4ba7.exe	84
PID 1392 wrote to memory of 4396	1392	ee48bff1f8ad92ccd405b5e5c0e26eb2d6fa5b7c729a7b876ec1685b58ca4ba7.exe	84
PID 1392 wrote to memory of 4396	1392	ee48bff1f8ad92ccd405b5e5c0e26eb2d6fa5b7c729a7b876ec1685b58ca4ba7.exe	84

C:\Users\Admin\AppData\Local\Temp\ee48bff1f8ad92ccd405b5e5c0e26eb2d6fa5b7c729a7b876ec1685b58ca4ba7.exe
"C:\Users\Admin\AppData\Local\Temp\ee48bff1f8ad92ccd405b5e5c0e26eb2d6fa5b7c729a7b876ec1685b58ca4ba7.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1392
- C:\Users\Admin\AppData\Local\Temp\budha.exe
  "C:\Users\Admin\AppData\Local\Temp\budha.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\389AE366D2070CE536197E55125E2F0E

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\389AE366D2070CE536197E55125E2F0E

Filesize
420B

MD5
0683c0f45ae94a2a1dd3fda8379946d3

SHA1
9ea398196b411f9e6c2132b2cf7aff4c1cf11e67

SHA256
316e8165fe030898edb733039ec12e148c5ee9e882cab0822659eb08932873e5

SHA512
c1c83477680551cf75cce084dcc9ab0a22d15c67e049bd9fb6fdca6fa962218d6882fbc7d3cc4d53fe54d0498dfeb882ec8208de9d8f15f249e962c38fb483f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\budha.exe

Filesize
34KB

MD5
028709b3b53bf9f288e7a845479074a6

SHA1
c4e74a07078568b11b16f2e38c77c4e8be5baa40

SHA256
1388839c9619bbbccbab41fcbba05a82043e659b0cf5acb09790290e0fbbde61

SHA512
8642dd4fb5b23d9742ae6545b72f19e54bb661b80ac21fa1b946dacb0b1b645e8c585ce6bb37bb0d5a8b94b1cd44cc229b2fbd3661e65274fd9a72cd65c86e7d

Download Submit
memory/1392-0-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/1392-1-0x0000000002190000-0x0000000002191000-memory.dmp

Filesize
4KB

Download
memory/1392-3-0x0000000002650000-0x0000000002A50000-memory.dmp

Filesize
4.0MB

Download
memory/1392-12-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/4396-14-0x0000000002510000-0x0000000002910000-memory.dmp

Filesize
4.0MB

Download
memory/4396-13-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/4396-48-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download